
Spam Attack

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6892
Printed Date: 27 December 2024 at 11:15am


Topic: Spam Attack
Posted By: ITI Computers
Subject: Spam Attack
Date Posted: 04 November 2010 at 12:30pm
Hello,
 
We are seeing hundreds of connection attempts per minute to one of our domains, APS2000.com; this has been going on for quite a while. I would like to know if there is anything I can do to stop these connections. I have a log file that I have zipped up but it is 33.5 MB. How do you want me to send it to you?


-------------
ITI Computers
Web Design and Hosting



Replies:
Posted By: yapadu
Date Posted: 04 November 2010 at 8:50pm
If the attack is coming from a limited number of addresses you could block them at your firewall.

-------------
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.


Posted By: LogSat
Date Posted: 04 November 2010 at 9:11pm
I've sent you a PM with the details on how to send us the file via FTP. As an FYI, SpamFilter has the following setting (which is enabled by default) that greatly helps prevent issues from such attacks:

Enable Cached IP Blocking - If an IP address sends more than a certain number of spam emails (3 by default) during a certain time interval (10 minutes by default), then it can be temporarily banned (blacklisted). All further connections from that IP address will be immediately rejected without allowing the sender to transmit any data. This should greatly reduce the load on the server. A banned IP address will be automatically removed from this temporary blacklist after a defined time interval (60 minutes by default). To prevent specific IPs from being added to this list, they can be added to the DoNotAddIPToHoneypot SpamFilter.ini option.



-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: ITI Computers
Date Posted: 08 November 2010 at 10:30am
Thanks for the reply. I have uploaded the file named ITIComputers20101102.zip to the FTP account you sent me. I will look at that configuration option you mentioned and see if that does anything to stop this attack in the meantime.
 
Thanks,
 
Bill Turner
ITI Computers


-------------
ITI Computers
Web Design and Hosting


Posted By: ITI Computers
Date Posted: 08 November 2010 at 10:38am
Just checked the settings and the Enable Cached IP Blocking is already turned on.
Any other ideas?


-------------
ITI Computers
Web Design and Hosting


Posted By: LogSat
Date Posted: 08 November 2010 at 10:16pm
We received your log, and it was rather "unusual". Let me summarize what we see.

During the day your SpamFilter received 232,954 connections. Of these, there was a whopping (high/huge) number of 102,926 individual/unique IPs that attempted connections to SpamFilter. So each IP on average made just over 2 connections. This pretty much eliminates any single IP from sending large quantities of spam toward your network.
In addition, a very large number of connection attempts (91,830) was stopped in its tracks by the greylist filter, which prevented those connections from even attempting to send an email.

Over 83% of the emails in the logs were indeed sent to the aps2000.com domain, but depending on the domain's history and number of users when compared against the other domains you host, that could be normal.

We do see however that you have configured SpamFilter to tag spam instead of blocking it. Tagging spam emails as such and delivering them forces SpamFilter to accept the emails from the senders. If the email is accepted, the sender believes that the email is going to be delivered. So for all the spam emails you receive, to the senders (keep in mind these are mostly automated emails), when the spammers go back and analyze the statistics of their spam campaign, they will all show up as "good" spam emails, meaning they were all delivered. This will likely cause them to give a high reliability to the addresses they are spamming, causing the spam to increase. If you had configured SpamFilter to block such emails instead of tagging them and delivering them, hundreds of thousands of spam emails addressed to that domain would be blocked each week, making it a bit less likely that spam will be delivered to them in the future.
Do note however that if you start to stop such emails now, the change I described above would be very, very, very slow, as it will take months/years for the email databases spammers acquire to be updated.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
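
A model of the Cached IP Blocking rule quoted earlier in the thread, replayed against the traffic shape summarized in the reply above (many sources, about two connections each). This is an added example, not LogSat's code: the class, function names, the `exempt` parameter (a stand-in for DoNotAddIPToHoneypot) and the sample addresses are constructed for illustration.

```python
from collections import defaultdict, deque

class CachedIPBlocker:
    """Temporary per-IP ban; defaults are the ones stated in the thread."""
    def __init__(self, max_spam=3, window=600, ban=3600, exempt=()):
        self.max_spam, self.window, self.ban = max_spam, window, ban
        self.exempt = set(exempt)        # hypothetical stand-in for DoNotAddIPToHoneypot
        self.hits = defaultdict(deque)   # ip -> timestamps of recent spam
        self.banned_until = {}           # ip -> time (s) at which the ban expires

    def allow(self, ip, now):
        """True if the connection is accepted, False if rejected up front."""
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self.banned_until[ip]    # ban expired, IP leaves the blacklist
        return True

    def record_spam(self, ip, now):
        """Call after a message from ip has been classified as spam."""
        if ip in self.exempt:
            return
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                  # forget spam older than the window
        if len(q) > self.max_spam:       # "more than" 3 inside 10 minutes
            self.banned_until[ip] = now + self.ban
            q.clear()

def replay(events, blocker):
    """events: (time_s, ip) spam connections. Returns (accepted, rejected)."""
    accepted = rejected = 0
    for now, ip in sorted(events):
        if blocker.allow(ip, now):
            accepted += 1
            blocker.record_spam(ip, now)
        else:
            rejected += 1
    return accepted, rejected

# Constructed traffic: one noisy host vs. 100 hosts sending two messages each.
single = [(t * 10, "192.0.2.10") for t in range(200)]
spread = [(i + 300 * k, f"198.51.100.{i}") for i in range(100) for k in range(2)]

if __name__ == "__main__":
    print("single source:", replay(single, CachedIPBlocker()))
    print("distributed  :", replay(spread, CachedIPBlocker()))
```

With the defaults, the single host is cut off after its fourth spam message, while the 100 hosts never reach the threshold and every message is accepted. That is the pattern in the log summary (232,954 connections from 102,926 unique IPs), where a per-IP rule has little to act on.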


Posted By: ITI Computers
Date Posted: 09 November 2010 at 9:55am
Thanks for the reply,
 
The APS domain has about 31 users, and they are not very active. So there is no way that there should be 83% of the total emails going to them. My guess would be less than 10% legit email usage.
 
From what you are saying, it seems like there are hundreds of possibly virus infected computers that are sending one or two emails per day. So there is no way to really stop those attacks until the owners fix the problems.
 
Unfortunately, we have to Tag and Deliver the spam to most of our clients because they see 1 to 10 per month in the spam folders that are legit emails coming from NEW clients that they have no way to know beforehand that those emails are coming.
 
I appreciate your help with this matter. If you can think of anything else, please let me know.
 
Many thanks,
 
Bill Turner
ITI Computers


-------------
ITI Computers
Web Design and Hosting


